Yellow Dog Security Advisory: YDU-20030127-3
yellowdog-updates@lists.terrasoftsolutions.com
yellowdog-updates@lists.terrasoftsolutions.com
Mon, 27 Jan 2003 01:08:28 -0700 (MST)
Yellow Dog Linux Security Announcement
--------------------------------------
Package: vim
Issue Date: January 27, 2003
Priority: medium
Advisory ID: YDU-20030127-3
1. Topic:
Updated vim packages are available.
2. Problem:
"VIM (Vi IMproved) is a version of the vi editor.
VIM allows a user to set the modeline differently for each edited text
file by placing special comments in the files. Georgi Guninski found
that these comments can be carefully crafted in order to call external
programs. This could allow an attacker to create a text file such that
when it is opened arbitrary commands are executed.
Users of VIM are advised to upgrade to these errata packages which
have been patched to disable the usage of dangerous functions in
modelines."
(from Red Hat Advisory)
3. Solution:
a) Updating via apt...
We suggest that you use the apt-get program to keep your
system up-to-date. The following command(s) will retrieve
and install the fixed version of this update onto your system:
apt-get update
apt-get install vim
b) Updating manually...
Download the updates below and then run the following rpm command.
(Please use a mirror site)
rpm -Fvh [filenames]
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
ppc/vim-common-6.1-17.7x.2a.ppc.rpm
ppc/vim-enhanced-6.1-17.7x.2a.ppc.rpm
ppc/vim-minimal-6.1-17.7x.2a.ppc.rpm
ppc/vim-X11-6.1-17.7x.2a.ppc.rpm
4. Verification
MD5 checksum Package
-------------------------------- ----------------------------
b286bd901010634b69a8fd09e7dfb785 ppc/vim-common-6.1-18.7x.2a.ppc.rpm
804e3f6b21255656acaa07b48bff276e ppc/vim-enhanced-6.1-18.7x.2a.ppc.rpm
d525f6f668095b93f4d7cfa9194fff5c ppc/vim-minimal-6.1-18.7x.2a.ppc.rpm
f9da0f1d03ece2214b80b6558bb7cc8f ppc/vim-X11-6.1-18.7x.2a.ppc.rpm
c150247335affb03eab1ca01b7eb45d7 SRPMS/vim-6.1-18.7x.2a.src.rpm
I wish to verify that each package has not been corrupted or tampered with,
examine the md5sum with the following command: rpm --checksig --nogpg filename
5. Misc.
Terra Soft has setup a moderated mailing list where these security, bugfix, and package
enhancement announcements will be posted. See http://lists.terrasoftsolutions.com/ for more
information.
For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml